[mapserver-users] mapserver cgi-bin security

Jim Klassen klassen.js at gmail.com
Fri Nov 29 11:51:24 PST 2019


You didn't provide enough information to give specific recommendations.  
However, generally there are some things you can do.

Look at the environment variables MapServer supports for selecting the 
mapfile.  If you let that pass into the QUERYSTRING, someone can specify 
the map= parameter multiple times and I'm not sure which one takes 
precedence.

Look for:
     MS_MAPFILE
     MS_MAPFILE_PATTERN
     MS_MAP_NO_PATH

Also, make sure you set the VALIDATION blocks in your mapfiles for any 
substitution parameters you allow in from the request.

You should avoid allowing substitutions into the DATA field (assuming 
here that SQL injection means your mapfile is hitting a database without 
a fixed SQL statement).

As a defense in depth measure, you should make sure that the account 
MapServer uses to connect to your database has the minimum privileges 
necessary (generally only SELECT on a handful of tables).

I'm not sure what running through that script is getting you except for 
slowing down the response time and opening you up to potential bugs in 
your script and bash.  You can set environment variables and filter 
based on method directly in Apache (and I presume other common web 
servers as well).

On 11/25/19 4:19 AM, Sebastiano Laini wrote:
>
> Hi All,
>
> We submitted our new system to a pen-test and apparently it is pretty 
> easy to be infected by SQL-injection. Has anyone come across this before?
>
> We run the feature layer through a cgi-bin request, see the script below
>
> #! /bin/sh
>
> MAPSERV="/var/…/cgi-bin/mapserv"
> MAPFILE="/var/…/twfeat.map"
>
> if [ "${REQUEST_METHOD}" = "GET" ]; then
>    if [ -z "${QUERY_STRING}" ]; then
>       QUERY_STRING="map=${MAPFILE}"
>    else
>       QUERY_STRING="map=${MAPFILE}&${QUERY_STRING}"
>    fi
>    exec ${MAPSERV}
> else
>    echo "Sorry, I only understand GET requests."
> fi
>
> exit 1
>
> How can you sanitize or implement security layers?
>
> Kind Regards,
>
> Sebastiano Laini
>
> Web Developer
>
> Buchanan Computing
>
>
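The duplicate map= concern raised in the reply, as an added example that is not part of the thread or of MapServer: a POSIX sh wrapper that supplies the mapfile through MS_MAPFILE instead of the query string and refuses any request carrying its own map key. The paths are placeholders, and refusing percent-encoded parameter names is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the poster's script. Paths are placeholders.
MAPSERV="${MAPSERV:-/path/to/cgi-bin/mapserv}"
FIXED_MAPFILE="${FIXED_MAPFILE:-/path/to/example.map}"

# Return 0 if the query string carries a "map" key in any letter case.
# Keys containing '%' are refused too (assumption: legitimate clients never
# percent-encode parameter names), so "m%61p" cannot slip past the check.
query_has_map_key() {
    old_ifs=$IFS
    IFS='&'
    set -f                      # no globbing while splitting
    for pair in $1; do
        key=$(printf '%s' "${pair%%=*}" | tr 'A-Z' 'a-z')
        case $key in
            map|*%*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# Print "serve" or the HTTP status to return for this request.
decide() {
    if [ "$1" != "GET" ]; then echo "405 Method Not Allowed"; return 0; fi
    if query_has_map_key "$2"; then echo "400 Bad Request"; return 0; fi
    echo "serve"
}

main() {
    verdict=$(decide "${REQUEST_METHOD:-}" "${QUERY_STRING:-}")
    if [ "$verdict" = "serve" ]; then
        # The mapfile comes from the environment, never from the request.
        export MS_MAPFILE="$FIXED_MAPFILE"
        exec "$MAPSERV"
    fi
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$verdict" "$verdict"
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main                        # invoked by the web server as CGI
else
    # Constructed sample requests, run when the script is started by hand.
    for qs in 'SERVICE=WMS&REQUEST=GetCapabilities' 'layers=a&MAP=/tmp/x.map'; do
        printf '%s -> %s\n' "$qs" "$(decide GET "$qs")"
    done
fi
```

The same two controls (a fixed MS_MAPFILE and a GET-only filter) can be set in the web server configuration instead, as the reply suggests.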